Security UPDATE--Another Perspective on OS Haste--July 26, 2006


Surf Control

SPI Dynamics




IN FOCUS: Another Perspective on OS Haste


- Microsoft Gains Winternals Expertise

- Skype Protocol Cracked?

- Zero-Day PowerPoint Exploit on the Loose

- Authentication Options

- Recent Security Vulnerabilities


- Security Matters Blog: Who Is Connected to Your Systems?

- FAQ: Security Assessment

- From the Forum: Network Drive Folders

- Calling All Windows IT Pro Innovators

- Take the Windows IT Pro Salary Survey

- Share Your Security Tips


- More Security Events Managed Faster

- Tell Us About a Hot Product




=== SPONSOR: Surf Control


Achieve compliance in today's complex regulatory environment, while managing threats to the inward- and outward-bound communications vital to your business. Adopt a best-practices approach, such as the one outlined in the international information security standard ISO/IEC 17799:2005. Download the whitepaper today to secure the confidentiality, availability and integrity of your corporate information!

=== IN FOCUS: Another Perspective on OS Haste


by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

Last week, I wrote about Microsoft CEO Steve Ballmer's comment, "Rest assured we will never have a gap between Windows releases as long as the one between XP and Windows Vista." My perspective was that longer release cycles often help with the security aspects of OS development, primarily because they provide more time to work on features and functions.

I received a response from a reader who has a different perspective on release cycles. The reader wrote that we might "be better off from a security [point of view] shipping [OS releases] more rapidly." The reader argues that "threats evolve quickly, and so must our responses. [Not to imply] that it is OK to turn out bad quality, but quick [OS upgrade turnaround times] give [developers] more flexibility to respond to changing conditions. [On the other hand,] it's hard to [create] really innovative stuff in short stages, so there also need to be some long cycles to accommodate [the truly creative aspects of OS evolution]."

He continues, "Here's another wrinkle to consider: If you go a long time between releases, upgrading becomes harder, and the [end users] stay on the old version longer. [It seemed like] it was going to take forever for people to migrate [away from Windows NT 4.0.] A lot of [the migration delay was] because it was a fairly long haul between NT 4.0 and Win2K, and there were a lot of changes [including] a whole new [user interface], a whole new administration model, etc. [Because of such dramatic differences, end users kept using] the old [OS] longer, which isn't good for security. [So it appears that] if we want to optimize for security, we need to shorten the upgrade cycle, not lengthen it."

The reader also offered some observations about Microsoft Office. First, Microsoft did a good job of upgrading the Office suite, including auditing the code to find faults that could have led to security problems. Because of that security focus, there weren't many Office vulnerabilities for roughly two years. However, the reader pointed out that a few significant changes took place in the security community in the meantime: "The attackers have a business model--vulns do sell for about $25K--and they're using some reasonably sophisticated fuzzers." (Fuzzers feed large volumes of malformed or unexpected input to an application to find input-handling flaws.)

The reader's opinion is that effectively all the work Microsoft did on Office bought the company about two years of time. But, because of unforeseen developments in the realms of intrusion, Microsoft could have actually used three years of time without vulnerabilities because that's how long it's taking to ready the next release of Office. Therefore, "if the release cycle of Office were shorter, they'd be in a better defensive position, but then again, [Microsoft] can't [develop the really creative stuff, as seen in the new version of Office] on a short cycle."

So there you have it: A very different perspective from the one I presented last week. My thanks to the reader (who wished to remain unnamed) for providing an argument that makes a lot of sense.

=== SPONSOR: SPI Dynamics


ALERT: "How A Hacker Launches An LDAP Injection Attack!" White Paper

It's as simple as placing additional LDAP query commands into a Web form input box, giving hackers complete access to all your backend systems! Firewalls and IDS will not stop such attacks because LDAP injections are seen as valid data. Download this *FREE* white paper from SPI Dynamics for a complete guide to protection!
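The sponsor copy above names the attack class but not the control that stops it. As an added example (not from SPI Dynamics or this newsletter), the following Python shows the standard defence: user-supplied assertion values are escaped per RFC 4515 before they are placed in a filter string, so characters that would otherwise add or close filter components become literal data. The attribute names, the login-filter shape, and the sample form input are constructed for illustration; the item counter is a rough structural check, not a full filter parser.

```python
# Added example: building an LDAP search filter from form input safely.
# RFC 4515 requires these characters in an assertion value to be hex-escaped;
# anything else is carried through unchanged.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value so it cannot change the filter's structure."""
    # Character-by-character mapping means an emitted escape is never re-escaped.
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_login_filter_unsafe(username: str) -> str:
    """The vulnerable pattern: raw Web-form input concatenated into the filter."""
    return f"(&(objectClass=user)(sAMAccountName={username}))"


def build_login_filter_safe(username: str) -> str:
    """The hardened form: the same filter, with the value escaped first."""
    return f"(&(objectClass=user)(sAMAccountName={escape_filter_value(username)}))"


def count_assertion_items(filter_str: str) -> int:
    """Count '(attr=value)' items in a filter string (constructed, rough check).

    An item starts at '(' unless the next character is a filter operator
    (&, |, !). Escaped sequences like \\29 are skipped so that escaped
    parentheses inside a value are not mistaken for structure.
    """
    items = 0
    i = 0
    while i < len(filter_str):
        ch = filter_str[i]
        if ch == "\\":
            i += 3  # skip the \XX escape
            continue
        if ch == "(" and i + 1 < len(filter_str) and filter_str[i + 1] not in "&|!":
            items += 1
        i += 1
    return items


if __name__ == "__main__":
    # Constructed sample input: a username followed by filter syntax.
    form_input = "alice)(memberOf=*"
    unsafe = build_login_filter_unsafe(form_input)
    safe = build_login_filter_safe(form_input)
    print("unsafe:", unsafe, "items:", count_assertion_items(unsafe))
    print("safe:  ", safe, "items:", count_assertion_items(safe))
```

With the constructed input, the unescaped filter gains a third assertion that the application never intended, while the escaped filter still has exactly the two it was written with; the escaping is the control, and the item count is only a way to see its effect. Where a directory library offers its own filter-escaping helper, use that rather than a hand-rolled table.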



Microsoft Gains Winternals Expertise

Microsoft announced last week that it had acquired privately held Winternals Software, which is widely known for its commercial and freeware Windows tools.

Skype Protocol Cracked?

The hugely popular VoIP software Skype uses a proprietary protocol. But now a Chinese company has reportedly reverse-engineered the Skype protocol and plans to release compatible software in the near future.

Zero-Day PowerPoint Exploit on the Loose

A new flaw has been discovered in Microsoft PowerPoint that could allow intruders to execute remote code if a user opens an affected PowerPoint file. An exploit is circulating that includes a Trojan horse that opens a backdoor into the system. Microsoft is aware of the problem, but no patch is available at this time.

Authentication Options

What can a security administrator do to avoid the risks associated with passwords? A bewildering array of alternatives to the use of usernames and passwords exists. Three of the most popular alternatives are smart cards, tokens, and biometric readers. John Howie discusses the pros and cons of each solution and the scenarios in which they work best.

Recent Security Vulnerabilities

If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at

=== SPONSOR: CrossTec


Are you spending too much time monitoring security logs?

Activeworx collects event logs from all your security devices and vendors to provide a single Dashboard view along with correlated alerts; hundreds of compliance reports; and deep forensics tools. Easy to install and use. Free White Paper or Try Activeworx yourself - 30 minute Install & Free Tech Support.



SECURITY MATTERS BLOG: Who Is Connected to Your Systems?

by Mark Joseph Edwards,

WhoIsConnected is a nifty tool that lets you see what connections are open on your systems. The tool goes beyond the functionality found in Microsoft's staple Netstat command-line tool.

FAQ: Security Assessment

by John Savill,

Q: How can I perform a high-level security assessment of my company's computing environment?

Find the answer at

FROM THE FORUM: Network Drive Folders

A forum participant would like to hear the pros and cons of putting passwords on individual files that are shared among users in multiple locations around the country.


Have you developed a solution that uses Windows technology to solve a business problem in an innovative way? Enter your solution in the 2006 Windows IT Pro Innovators Contest! Grand-prize winners will receive airfare and a conference pass to Windows and Exchange Connections in Las Vegas, November 6-9, 2006, plus more great prizes and a feature article about the winning solutions in the November 2006 issue of Windows IT Pro. Contest runs through August 1, 2006.

To enter, go to


We need your help! Windows IT Pro is launching its third Windows IT Pro Industry Salary Survey, and we want to find out all about you and what makes you a satisfied IT pro. When you complete the survey (about 10 minutes of your time), you'll be entered in a drawing for one of five $100 American Express gift certificates. Look for the survey results--and how you stack up against your peers--in our December issue. To take the survey, go to


Share your security-related tips, comments, or problems and solutions in the Windows IT Security print newsletter's Reader to Reader column. Email your contributions to [email protected]. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.



by Renee Munshi, [email protected]

More Security Events Managed Faster

eIQnetworks announced the general availability of Enterprise Security Analyzer (ESA) 2.5. eIQ says the performance of this latest version of its event management application has improved 100 percent: ESA 2.5 can process 15,000 events per second on one server and tens of thousands of events per second across multiple servers. ESA 2.5 also adds Oracle and Microsoft SQL Server event management, support for Payment Card Industry (PCI) guidelines, and compliance modules for major federal and industry mandates including Sarbanes-Oxley (SOX), the Gramm-Leach-Bliley Act (GLBA), the Federal Information Security Management Act (FISMA), and the Health Insurance Portability and Accountability Act (HIPAA). The entry price of $7995 includes licensing for five devices and five hosts. For more information, go to

Tell Us About a Hot Product and Get a Best Buy Gift Card!

Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a Best Buy Gift Card if we write about the product in a Windows IT Pro What's Hot column. Send your product suggestion with information about how the product has helped you to [email protected]



Learn to easily configure and deploy desktop spyware protection throughout your organization by using policy-based deployment, AD support, an Admin Console for easy centralized management, and one of the most robust spyware threat databases in the industry. View the demo today!

Is your continuity solution letting you down? If you're not getting 100% coverage against lost or missing messages, even for short, unplanned outages, you might be jeopardizing your messaging system integrity and your company productivity. Learn how to manage disruptions to your messaging environment without breaking the bank in the process. Live Event: Tuesday, August 3

Gain control of your messaging data with step-by-step instructions for complying with the law and ensuring your systems are working properly, and ultimately make your job easier. Download the latest eBook chapter today: Hardware and Software Implementation

Take the necessary steps for managing application migration to a new OS, from converting legacy applications to MSI to customizing applications to fit corporate standards. Don't overlook an important component of an OS migration--join us for this free Web seminar, now available on demand.

Gear up for TechX World Roadshow

Hear first-hand from today's leading interoperability experts, vendors, and peers at this exclusive one-day event. You'll learn about OS interoperability management, directory migration, data interoperability, and much more. This event provides in-depth information on how Windows and other systems cooperate with each other.



On average, enterprises spend $10 million annually on IT compliance. How much is your company spending? Learn to streamline and automate the compliance life cycle and reduce your costs today!



Invitation for VIP Access

Become a VIP subscriber and get continuous, inside access to ALL content published in Windows IT Pro, SQL Server Magazine, and the Exchange & Outlook Administrator, Windows Scripting Solutions, and Windows IT Security newsletters--that's more than 26,000 articles at your fingertips. You'll also get a valuable one-year print subscription to Windows IT Pro and two VIP CDs that include the entire article database and are delivered twice per year. Order now:

Save $40 off Windows IT Pro Magazine

Subscribe to Windows IT Pro magazine today and SAVE up to $40! Along with your 12 issues, you'll also get FREE access to the entire Windows IT Pro online article archive, which houses more than 9,000 helpful IT articles. This is a limited-time offer, so order now:


Security UPDATE is brought to you by the Windows IT Pro Web site's Security page (first URL below) and the Windows IT Security newsletter (subscribe at the second URL below).

Subscribe to Security UPDATE at

Unsubscribe by clicking

Be sure to add [email protected]

to your antispam software's list of allowed senders.

To contact us:

About Security UPDATE content -- [email protected]

About technical questions --

About your product news -- [email protected]

About your subscription -- [email protected]

About sponsoring Security UPDATE -- [email protected]

View the Windows IT Pro privacy policy at

Windows IT Pro, a division of Penton Media, Inc.

221 East 29th Street, Loveland, CO 80538

Attention: Customer Service Department

Copyright 2006, Penton Media, Inc. All rights reserved.
